A Deep Dive into Data Privacy: It’s Not Just Big Companies, Folks

IT is grappling with how to protect sensitive data, making the state of data privacy worrisome no matter how big or small the organization is. Smaller companies care about data privacy just as much as big ones do, but they’re ill-equipped to do much about it. Large enterprises take more measures to deal with the issue, but they aren’t that successful, either.

When we talk about topics like IT governance, data privacy, and information security, there’s a tendency to imagine that these issues apply primarily to large companies with household names. As if smaller organizations don’t … well, not exactly don’t care, but they have so much to juggle, and fewer IT staff available to do the juggling, that such matters get little attention.

As it turns out, that’s not precisely so. Small and mid-size businesses care about data privacy. They care a lot.

A recent report among IT and business professionals responsible for corporate data, sponsored by Druva, shows that 93% of respondents across company size are challenged by data privacy. (You can download the report to see the results yourself, or get a broad overview from this infographic.)

However, differences emerge when we drill a little deeper into the data to learn how company size affects organizational behavior regarding privacy safeguards. Nominally the data is less trustworthy – the sample size for each category gets somewhat small – but the trends are clear enough that you and I can draw some useful (if not precisely scientific) conclusions.

Larger organizations put more energy into protecting the privacy of sensitive data; after all, they have to contend with greater risks. A single stumble can result in major corporate embarrassment, such as millions of customer records being stolen. So we see 77% of businesses with more than 5,000 employees investing more effort into this initiative in 2015, as are 100% of companies with 1,000-5,000 employees.

But data privacy urgency affects smaller businesses, too, because you don’t need to be a big organization to have your finger on personally identifiable or other private data. In even the tiniest companies, those with under 100 employees, 83% are investing more in data privacy protection this year; so are 72% of those with 100-1,000 employees.

What’s different is not the perceived urgency of data privacy and other privacy/security matters. It’s what companies are prepared (and funded) to do about it.

Large companies have more resources, such as the opportunity to offer and enforce employee training. And indeed, when it comes to training employees on data privacy, 82% of the largest organizations do tell the people who work for them the right way to handle personally identifiable data and other sensitive information. Similarly, 71% of the businesses with 1,000-5,000 employees offer such training.

However, even though smaller companies are equally concerned about the subject, that concern does not trickle down to the employees quite so effectively. Half of the midsize businesses offer no such training; just 39% of organizations with under 100 employees regularly train employees on data privacy.

Another example of the difference in organizational behavior is security audits. It’s become commonplace, if not exactly routine, for organizations to conduct regular security audits to ensure compliance with data security standards. These are conventionally done in large organizations (in this study, 91% of the businesses with over 5,000 employees do regular security audits) though they are less frequent in smaller businesses (about half of companies with fewer than 1,000 employees have regular security audits).

On the other hand, data privacy audits are far less common. Just 54% of companies overall do data privacy audits regularly (compared to two thirds who do security audits), most commonly in the largest organizations (among the large enterprises, four in five regularly do data privacy audits… which means about 20% aren’t policing their practices). In contrast, only 28% of businesses with under 100 employees do these kinds of audits.

Auditing business practices (in any context) measures how well an organization complies with the way things are supposed to be done.

Obviously, breaches happen even in very large companies with security teams, audits, and privacy controls. More needs to be done before IT has the controls in place to properly protect sensitive data.

So what’s the bottom line? Data privacy is becoming ever more important to businesses of all sizes. While a data breach at a big company may get the headlines, smaller organizations are also at risk; after all, they’re dealing with the same personal data and the same government and industry regulations.

The research suggests that data privacy is being treated as an afterthought to security, an alarming fact considering the rate of cloud adoption and the volume of sensitive personal data. Increased attention to the risks and greater investment in employee awareness, audits and technology safeguards can help to address the challenge. That’s especially important for companies that deal with sensitive data, are moving it to the cloud, and express concern about it. And that’s pretty much everyone.